Encryption for Document and Data Room Links | Sendpaper
Learn how Sendpaper encrypts your document and data room files and link passwords at rest and in transit.
When you share a document or data room link, two things matter: how data is protected on disk and how it is protected on the wire. Sendpaper is open source, so you can see how we handle encryption. We use encryption at rest and in transit so your files and link settings stay secure end to end.
Encryption at Rest
Documents and data room files you upload are stored using AES-256 encryption at rest. The storage layer encrypts objects by default so that data on disk is not readable without the correct keys. That applies to every file you add to a link or data room. We do not store document content in plain text.
Link-level secrets are also protected at rest. When you set a password on a link, that password is encrypted with AES-256-CTR before it is stored. We use a unique initialization vector (IV) per encrypted value and derive the encryption key from a server-side secret. So even with access to the database, an attacker cannot recover link passwords without that secret. Passwords are never stored in plain text.
Encryption in Transit
All traffic between the viewer’s browser and our servers, and between our servers and storage, runs over TLS. That means document content, link metadata, and authentication data are encrypted in transit. Viewers always open links over HTTPS so nothing is sent in the clear. We use standard TLS so you get the same protection you expect from any modern web app. Because Sendpaper is open source, you can review how we implement encryption and run the same stack in your own environment if you self-host.
How It Fits With the Rest
Encryption is one layer. You also control who can open a link (passwords, email verification, expiry, allowlists), what they can do (view only vs download), and what they leave behind (watermarks, audit logs). Documents are encrypted at rest and in transit; access control and logging tell you who saw what and when. Together that gives you secure sharing you can reason about for fundraising, M&A, and compliance.
Open Source and Transparency
Sendpaper is open source. That means the code that implements encryption, access control, and storage is public. You can inspect how we encrypt documents at rest, how we protect link passwords, and how we enforce view-only or download rules. There is no security through obscurity: the same logic runs whether you use our hosted service or deploy Sendpaper yourself. If you self-host, you get the same AES-256 and TLS behaviour with full control over where your data lives and who holds the keys. For teams that need to verify or audit their document-sharing stack, open source makes that possible without relying on a vendor’s word alone.
Data room demo video
See how to create a data room, upload folders, set permissions, and share one link.
Frequently Asked Questions
Related posts
- Product, GuidesData Room Groups: One Place for Permissions and Analytics | SendpaperUse data room groups in Sendpaper to manage permissions and analytics for investors, buyers, and teams. Create a group once, reuse it on links, and see group-level activity without spreadsheets.
- Product, GuidesHow Sendpaper renders files as images in the viewer (and why it matters) | SendpaperLearn how Sendpaper converts uploaded PDFs into page images for a fast, consistent viewer. We cover what formats can be shown, what processing means, and why a loader appears.
- Product, SecuritySecure PDF Document Sharing: Watermarking, Screenshot Protection, View-Only | SendpaperShare PDFs securely with watermarking, screenshot protection, view-only, and one-click agreement. Password and access control in Share Link and Access Control. One sidebar, all options.